Don't think that just because you have a firewall installed I can't get to you!! (repost)

xiaoxiao 2021-03-06

Article source: CPU88'S BLOG. Original title: Don't think that just because you have a firewall installed I can't get to you!!

This article shows how TCP and UDP packets can be carried through a firewall with the HTTPTunnel technique, escaping both the firewall and the system's intrusion detection. It shows that network security relying on only one or a few means is unreliable, and that blind trust in a security system often creates serious hidden dangers. I hope administrators will use this article to think through their network security protection systems.

What is an HTTP covert channel

What is LAN security, and how can a system administrator protect a LAN? This is a security concept that keeps changing. For a long time the practice has been to place a firewall between the LAN and the outside world and strictly control the open ports, so as to take charge of security while conveniently controlling which services users may use. For example, opening only ports 80 and 53 on the firewall means that neither internal nor external malicious users can reach services that have proven to be more dangerous. One point deserves attention, though: a firewall is, in a sense, very stupid, and an administrator's excessive dependence on it and the resulting complacency inevitably create a major security hazard. "Channel" (tunnel) technology is a very good illustration of this, and it is the subject of this article.

So what is a channel? The channel discussed here is a communication method that circumvents the firewall's port filtering: packets that the firewall blocks are wrapped inside a packet type or port that the firewall allows, pass through the firewall, and are exchanged with the peer. When the wrapped packet reaches its destination, the original packet is unpacked and handed to the corresponding service.
For example: host A sits behind a firewall whose access control rule allows only port-80 traffic, and host B is outside the firewall. Now, how can we telnet from system A to system B? Ordinary Telnet is certainly impossible, but we know that port 80 is available, so using an HTTPTunnel channel is a good approach. The idea is as follows. On machine A, a tunnel client listens on a local port of our choosing, say 1234, and forwards the data arriving on port 1234 to port 80 of the remote machine B (note that port 80 is allowed by the firewall). On machine B, a tunnel server also binds port 80 and forwards whatever arrives on port 80 to the machine's Telnet service on port 23. That is all it takes. Now telnet to local port 1234: following that setup, the packets are forwarded to machine B with destination port 80, and because the firewall allows port-80 traffic they pass through it and reach B. There the process listening on port 80 receives the packets from A, unpacks them and hands them to the Telnet process. When packets need to return from B to A they are again sent through port 80, and again pass the firewall. In fact the tunnel concept has been around for a long time, and readers have quite likely used similar techniques, for example the following website: http://www.http-tunnel.com.

This is a company specialising in tunnel services. Through its online Tunnel Server, LAN users can use ICQ, e-mail, pcAnywhere, AIM, MSN, Yahoo, Morpheus, Napster and other services blocked by their firewall.

What is HTTPTunnel

As a concrete example, let us briefly introduce a piece of channel software from the "non-public" domain, httptunnel. Its home page (see References) puts it this way: "httptunnel creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls."

As a proof of the technique, we give a general introduction to its use. HTTPTunnel currently has a relatively stable version, 3.0.5, and supports a variety of common UNIX systems as well as the Windows platform. You can download it from the relevant site (see References). Installation is relatively simple: follow the INSTALL file; it is not covered here. Once the software is installed we obtain two key files, htc and hts: htc is the client (c) and hts is the server (s). Let us see how they are actually used.

We have machine A (domain name client.yiming.com) and machine B (domain name server.yiming.com), both running Solaris. Machine A is behind the firewall, machine B is outside it, and the firewall's access rules allow only packets to ports 80 and 53. Our task is to use HTTPTunnel to telnet from machine A to machine B across the firewall's restriction.
The procedure is as follows. First we start the client on A; the command is simple:

    client.yiming.com# htc -F 1234 server.yiming.com:80

The system returns to the prompt. At this point netstat -an shows that the system has an additional listener on port 1234:

    *.1234    *.*    0    0    0    0    LISTEN

Next start the server on machine B with the following command:

    server.yiming.com# hts -F localhost:23 80

The system returns to the prompt. netstat now shows port 80 in the LISTEN state:

    *.80    *.*    0    0    0    0    LISTEN

One thing to pay attention to is whether the system itself is already running a web service (port 80 already listening), since hts has to take port 80 here.

OK, server and client are both running, so we can start the "channel" test. Execute the following command on client.yiming.com:

    client.yiming.com# telnet localhost 1234
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    SunOS 5.7
    this is yiming's private box! any question, contact me with yiming@security.zz.ha.cn
    login:

We see machine B's login prompt. Enter the account and password and see whether it works:

    login: yiming
    password: (omitted here ;))
    server.yiming.com# ls
    bak  check  go  httpd  lost+found  mrtg  run  soft  wg

OK! It works normally, with no difference from ordinary Telnet. Looking carefully at the whole process you will notice that at the start it printed "Trying 0.0.0.0..." and "Connected to 0." rather than "Trying server.yiming.com..." and "Connected to server.yiming.com". This shows very intuitively that the client is forwarding the port-1234 packets to the local client process for port 80 (which then forwards them to the remote end) instead of connecting directly to the remote machine B.

The above is a fairly intuitive test. To further verify that the communication between server and client really goes through port 80, we capture the packets on the server with the capture tool tcpdump (see References):

    server.yiming.com# tcpdump host client.yiming.com
    listening on hme0
    14:42:54.213699 client.yiming.com.51767 > server.yiming.com.80: S 1237977857:1237977857(0) win 8760 (DF)
    14:42:54.213767 server.yiming.com.80 > client.yiming.com.51767: S 1607785698:1607785698(0) ack 1237977858 win 8760 (DF)
    14:42:54.216186 client.yiming.com.51768 > server.yiming.com.80: . ack 1 win 8760 (DF)
    14:42:54.218661 client.yiming.com.51768 > server.yiming.com.80: P 1:44(43) ack 1 win 8760 (DF)
    14:42:54.218728 client.yiming.com.51768 > server.yiming.com.80: P 44:48(4) ack 1 win 8760 (DF)

Space is limited, so only a few packets from the output are shown, but they already make the point: server and client complete the three-way handshake and then start pushing data, and the communication really is on port 80. Interesting.

We can see it, but it is still not direct enough. Let us change the way tcpdump is run and check whether the Telnet data is really encapsulated inside the port-80 packets:

    server.yiming.com# tcpdump -x host client.yiming.com
    14:43:05.246911 server.yiming.com.80 > client.yiming.com.51768: . 2997:4457(1460) ack 89 win 8760 (DF)
    0x0000  4500 05dc 3b23 4000 ff06 e2c2 yyyy yyyy  E...;#@.........
    0x0010  xxxx xxxx 0050 de42 5fd5 ac4f 39ac 016f  .....P.B_..O9..o
    0x0020  5010 2238 98e4 0000 746f 7461 6c20 3636  P."8....total 66
    0x0030  370d 0a64 7277 7872 2d78 722d 7820 2032  7..drwxr-xr-x  2
    0x0040  7390 3920 726f 6f74 2020 2020 2072 6f6f 7420  s.9 root     root

Oh, this time it is clear: this should be the output of the ls command. You can plainly see the Telnet result! Sure enough, the Telnet data is inside the port-80 packets.

HTTPTunnel's security problem

Having written this far, we can imagine what would happen in a LAN with such a hidden danger if the administrator trusts the firewall completely. Dependence on the firewall has appeared in the SANS Top 10 security problems for many years. That raises a question: can this HTTPTunnel behaviour be discovered? The first thing one thinks of is an intrusion detection system; in current network security designs, firewall plus IDS is a rather popular combination. HTTPTunnel bypasses the firewall, but what about the IDS? Let us test it. In the following test the IDS is Snort, version 1.8.2 (see References), a well-known open-source IDS. It describes itself as a lightweight, cross-platform intrusion detection system, and in December 2001, in an evaluation by the independent UK test laboratory NSS (see References), it defeated all its opponents, including commercial IDS systems such as ISS, Cisco Secure IDS, CA eTrust, Cybersafe Centrax and NFR. Interested readers can also read the article "Open Source Mounts IDS Challenge" (see References).

OK, let's look at the results. Throughout the test Snort produced the following alerts for the captured packets:

    [**] WEB-MISC whisker splice attack [**]
    12/02-14:42:54.389175 client.yiming.com:51767 -> server.yiming.com:80
    TCP TTL:251 TOS:0x0 ID:3327 IpLen:20 DgmLen:42 DF
    ***AP*** Seq: 0x49CA0BA7  Ack: 0x5FD4DCE3  Win: 0x2238  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    [**] WEB-MISC whisker splice attack [**]
    12/02-14:43:03.195006 client.yiming.com:51767 -> server.yiming.com:80
    TCP TTL:251 TOS:0x0 ID:3439 IpLen:20 DgmLen:41 DF
    ***AP*** Seq: 0x49CA0C20  Ack: 0x5FD4DCE3  Win: 0x2238  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    [**] WEB-MISC whisker splice attack [**]
    12/02-14:43:04.630268 client.yiming.com:51768 -> server.yiming.com:80
    TCP TTL:251 TOS:0x0 ID:3496 IpLen:20 DgmLen:41 DF
    ***AP*** Seq: 0x49CA0C4E  Ack: 0x5FD4DCE3  Win: 0x2238  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

We see that Snort generated "WEB-MISC whisker splice attack" alerts, yet no such attack took place; at the same time, Snort did not notice the tunnel packets at all. So Snort has shown the two classic problems of IDS systems: false positives and false negatives. This is quite normal, because it is a common problem of signature-based IDS systems. Current IDS systems, including well-known commercial products such as ISS and NFR, are signature-based: the system maintains a database of data-pattern signatures for specific attack packets. When it runs, it inspects the content of every passing packet and compares it with the signatures in its database; if a signature matches, the packet is judged to be a particular attack. Several problems follow from this. Dependence on signatures inevitably leads to both false negatives and false positives. This is easy to understand: when a new attack pattern appears, the IDS has no corresponding signature and cannot catch the attack packets, hence the false negative. At the same time, an overly broad signature pattern easily fires on harmless traffic, as in the example above. Dependence on signatures also reduces system performance, since every passing packet has to be compared against the IDS's signature database (see References). In addition, a signature-based IDS can itself be attacked through the very feature of signature matching. One example is Stick: its author exploited the IDS's signature-matching principle by sending large numbers of packets with attack characteristics to the IDS, so that the IDS itself is pushed beyond its limits and can no longer respond. According to its author, Coretez Giovanni, running Stick for two seconds can crash the famous commercial IDS ISS RealSecure.
From the above we can see that complete reliance on an IDS is also risky (see References).

Some solutions

It seems that relying on an IDS alone cannot detect this behaviour, so are there other ways? Let us take a closer look at the HTTPTunnel packets intercepted during the test. Examining them carefully, we find that the first packet after the three-way handshake completes carries a POST action, sent from htc (the client) to hts (the server).

As follows:

    14:55:39.128908 client.yiming.com.51767 > server.yiming.com.80: S 3521931836:3521931836(0) win 8760 (DF)
    0x0000  4500 002c d3cc 4000 fb06 53c9 xxxx xxxx  E..,..@...S.....
    0x0010  yyyy yyyy ca37 0050 d1ec 6a3c 0000 0000  .....7.P..j<....
    0x0020  6002 2238 1708 0000 0204 05b4 0000       `."8..........
    [header line of the server's SYN/ACK lost from the captured text; its hex continues]
    0x0010  xxxx xxxx 0050 ca37 af98 77e4 d1ec 6a3d  .....P.7..w...j=
    0x0020  6012 2238 ef79 0000 0204 05b4            `."8.y......
    14:55:39.131002 client.yiming.com.51767 > server.yiming.com.80: . ack 1 win 8760 (DF)
    0x0000  4500 0028 d3cd 4000 fb06 53cc xxxx xxxx  E..(..@...S.....
    0x0010  yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5  .....7.P..j=..w.
    0x0020  5010 2238 0737 0000                      P."8.7..
    14:55:39.132841 server.yiming.com.80 > client.yiming.com.51767: . ack 44 win 8760 (DF)
    0x0000  4500 0028 cb86 4000 ff06 5813 yyyy yyyy  E..(..@...X.....
    0x0010  xxxx xxxx 0050 ca37 af98 77e5 d1ec 6a68  .....P.7..w...jh
    0x0020  5010 2238 070c 0000                      P."8....
    14:55:39.132860 client.yiming.com.51767 > server.yiming.com.80: P 1:44(43) ack 1 win 8760 (DF)
    0x0000  4500 0053 d3ce 4000 fb06 53a0 xxxx xxxx  E..S..@...S.....
    0x0010  yyyy yyyy ca37 0050 d1ec 6a3d af98 77e5  .....7.P..j=..w.
    0x0020  5018 2238 d23a 0000 504f 5354 202f 696e  P."8.:..POST /in
    0x0030  6465 782e 6874 6d6c 3f63 7261 703d 3130  dex.html?crap=10
    0x0040  3037 3838 3034 3836 2048 5454 502f 312e  07880486 HTTP/1.
    0x0050  310d 0a                                  1..

So the client has sent a packet to the server; how does the server react? Reading on, after the above process completes, htc and hts perform a handshake (note: another handshake),

as follows:

    14:55:39.134301 client.yiming.com.51768 > server.yiming.com.80: S 2851199448:2851199448(0) win 8760 (DF)
    0x0000  4500 002c d3df 4000 fb06 53b6 xxxx xxxx  E..,..@...S.....
    0x0010  yyyy yyyy ca38 0050 a9f1 d9d8 0000 0000  .....8.P........
    0x0020  6002 2238 cf65 0000 0204 05b4 0000       `."8.e..........
    [header line of the server's SYN/ACK lost from the captured text; its hex continues]
    0x0010  xxxx xxxx 0050 ca38 af99 50a1 a9f1 d9d9  .....P.8..P.....
    0x0020  6012 2238 cf19 0000 0204 05b4            `."8........
    14:55:39.136527 client.yiming.com.51768 > server.yiming.com.80: . ack 1 win 8760 (DF)
    0x0000  4500 0028 d3e0 4000 fb06 53b9 xxxx xxxx  E..(..@...S.....
    0x0010  yyyy yyyy ca38 0050 a9f1 d9d9 af99 50a2  .....8.P......P.
    0x0020  5010 2238 e6d6 0000 0000 0000            P."8........
    14:55:39.13733 client.yiming.com.51768 > server.yiming.com.80: P 1:43(42) ack 1 win 8760 (DF)
    0x0000  4500 0052 d3e1 4000 fb06 538e xxxx xxxx  E..R..@...S.....
    0x0010  yyyy yyyy ca38 0050 a9f1 d9d9 af99 50a2  .....8.P......P.
    0x0020  5018 2238 25ce 0000 4745 5420 2f69 6e64  P."8%...GET /ind
    0x0030  6578 2e68 746d 6c3f 6372 6170 3d31 3030  ex.html?crap=100
    0x0040  3738 3830 3438 3620 4854 5450 2f31 2e31  7880486 HTTP/1.1
    0x0050  0d0a                                     ..
    14:55:39.137379 server.yiming.com.80 > client.yiming.com.51768: . ack 43 win 8718 (DF)
    0x0000  4500 0028 cb90 4000 ff06 5809 yyyy yyyy  E..(..@...X.....
    0x0010  xxxx xxxx 0050 ca38 af99 50a2 a9f1 da03  .....P.8..P.....
    0x0020  5010 220e e6d6 0000                      P.".....
    14:55:39.139733 client.yiming.com.51768 > server.yiming.com.80: P 43:89(46) ack 1 win 8760 (DF)
    0x0000  4500 0056 d3e2 4000 fb06 5389 xxxx xxxx  E..V..@...S.....
    0x0010  yyyy yyyy ca38 0050 a9f1 da03 af99 50a2  .....8.P......P.
    0x0020  5018 2238 e156 0000 486f 7374 3a20 3230  P."8.V..Host: 20
    0x0030  322e 3130 322e 3232 372e 3638 3a38 300d  2.102.227.68:80.
    0x0040  0a43 6f6e 6e65 6374 696f 6e3a 2063 6c6f  .Connection: clo
    0x0050  7365 0d0a 0d0a                           se....
    14:55:39.151300 server.yiming.com.80 > client.yiming.com.51768: P 1:170(169) ack 89 win 8760 (DF)
    0x0000  4500 00d1 cb91 4000 ff06 575f yyyy yyyy  E.....@...W_....
    0x0010  xxxx xxxx 0050 ca38 af99 50a2 a9f1 da31  .....P.8..P....1
    0x0020  5018 2238 e721 0000 4854 5450 2f31 2e31  P."8.!..HTTP/1.1
    0x0030  2032 3030 204f 4b0d 0a43 6f6e 7465 6e74   200 OK..Content
    0x0040  2d4c 656e 6774 683a 2031 3032 3430 300d  -Length: 102400.
    0x0050  0a43 6f6e 6e65 6374 696f 6e3a 2063 6c6f  .Connection: clo
    0x0060  7365 0d0a 5072 6167 6d61 3a20 6e6f 2d63  se..Pragma: no-c
    0x0070  6163 6865 0d0a 4361 6368 652d 436f 6e74  ache..Cache-Cont
    0x0080  726f 6c3a 206e 6f2d 6361 6368 652c 206e  rol: no-cache, n
    0x0090  6f2d 7374 6f72 652c 206d 7573 742d 7265  o-store, must-re
    0x00a0  7661 6c69 6461 7465 0d0a 4578 7069 7265  validate..Expire
    0x00b0  733a 2030 0d0a 436f 6e74 656e 742d 5479  s: 0..Content-Ty
    0x00c0  7065 3a20 7465 7874 2f68 746d 6c0d 0a0d  pe: text/html...

From these packets we can see that hts (the server) sends to htc (the client), presumably to "fetch" the data the client has just sent, and does so over a new handshake! To verify this we run netstat -an on both the client and the server, which confirms the observation. On the client:

    client.yiming.com.51767  server.yiming.com.80  8760  0  8760  0  ESTABLISHED
    client.yiming.com.51768  server.yiming.com.80  8760  0  8760  0  ESTABLISHED

On the server, netstat -an shows:

    server.yiming.com.80  client.yiming.com.51767  8760  0  8760  0  ESTABLISHED
    server.yiming.com.80  client.yiming.com.51768  8760  0  8760  0  ESTABLISHED

Sure enough, the systems on both sides of the firewall each hold two sockets. Unlike ordinary programs, this is a rather special phenomenon. After the GET action completes, the server sends the client a packet whose content is:

    HTTP/1.1 200 OK
    Content-Length: 102400
    Connection: close
    Pragma: no-cache
    Cache-Control: no-cache, no-store, must-revalidate
    Expires: 0
    Content-Type: text/html

This should be defining parameters such as the maximum amount of data to transmit. The notable point is that after these three interactions between htc and hts the HTTPTunnel is truly established and the subsequent work can proceed, and, very interestingly, none of the subsequent port-80 packets carry any GET, PUT or POST content at all!! That suggests an approach. Traffic on port 80 is supposed to be web behaviour, so it should contain at least some normal action content such as GET; if the data passing on port 80 never contains such things, there must be a problem. So the problem has a solution: inspect the packets passing through port 80 by hand. If the packets are transmitted in plaintext, this behaviour is easily discovered. But that is only viable in theory; is there a mature product that does it in practice? Searching along this idea, I found that an intrusion detection product, the E-Gap system, can detect the presence of channel software such as HTTPTunnel. It works at the application layer of TCP/IP and checks the correctness of packets at the application-layer level: for example, it inspects the port-80 packets, and if they never contain valid data (URLs, GET or PUT parameters) the E-Gap system raises an alarm and interrupts the connection.
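The manual check proposed above, done mechanically: an added example (not from the original article or the httptunnel project) that reassembles each client-to-port-80 stream, requires a well-formed HTTP request line, flags the request shape seen in the capture (/index.html?crap=<id>), and reports when one client opens a POST and a GET connection carrying the same id, as htc does. The segment tuples are constructed from the article's dumps; the input format and the raw-Telnet-on-80 flow are assumptions.

```python
"""Audit client->server TCP payloads on port 80 for HTTPTunnel-like use.

Added example, not from the original article or the httptunnel project.
Input is a list of (src, sport, dst, dport, payload) tuples as a pcap
parser would hand over; here the payloads are constructed from the
article's tcpdump output, plus one assumed raw-Telnet-on-80 flow.
"""
import re
from collections import defaultdict

# A well-formed HTTP/1.x request line at the very start of the client stream.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE) (\S+) HTTP/1\.[01]\r\n")
# Request target shape seen in the article's capture: /index.html?crap=<id>.
TUNNEL_TARGET = re.compile(rb"^/index\.html\?crap=(\d+)$")


def first_request(stream):
    """Return (method, target) from the first request line, or None when the
    client bytes do not start with an HTTP request line at all."""
    m = REQUEST_LINE.match(stream)
    return (m.group(1).decode(), m.group(2)) if m else None


def audit_port80(segments):
    """Reassemble each client->port-80 stream and classify it.

    Returns {(src, sport, dst): finding}; a POST and a GET with the same
    crap= id from one client add a {(src, dst, 'id <n>'): finding} entry,
    because htc opens one connection per direction."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in segments:
        if dport == 80:
            streams[(src, sport, dst)] += payload
    findings = {}
    pairs = defaultdict(list)  # (src, dst, id) -> methods seen
    for key, stream in streams.items():
        req = first_request(stream)
        if req is None:
            findings[key] = "non-http payload on tcp/80"
            continue
        method, target = req
        t = TUNNEL_TARGET.match(target)
        if t is None:
            findings[key] = "http"
            continue
        findings[key] = f"{method} to httptunnel-style URL"
        pairs[(key[0], key[2], t.group(1).decode())].append(method)
    for (src, dst, ident), methods in pairs.items():
        if sorted(methods) == ["GET", "POST"]:
            findings[(src, dst, f"id {ident}")] = "paired POST/GET tunnel connections"
    return findings


C, S = "client.yiming.com", "server.yiming.com"
# Constructed sample: the two htc connections from the article, a normal
# browser request, and an assumed raw Telnet negotiation sent straight to tcp/80.
SAMPLE_SEGMENTS = [
    (C, 51767, S, 80, b"POST /index.html?crap=1007880486 HTTP/1.1\r\n"),
    (C, 51768, S, 80, b"GET /index.html?crap=1007880486 HTTP/1.1\r\n"),
    (C, 51768, S, 80, b"Host: server.yiming.com:80\r\nConnection: close\r\n\r\n"),
    (C, 51800, S, 80, b"GET / HTTP/1.1\r\nHost: server.yiming.com\r\n\r\n"),
    (C, 51900, S, 80, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
]

if __name__ == "__main__":
    for key, finding in sorted(audit_port80(SAMPLE_SEGMENTS).items(), key=str):
        print(key, "->", finding)
```

Like the E-Gap check described in the text, this only sees plaintext; a tunnel wrapped in encryption would have to be caught from flow behaviour instead.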
This detection method (see References) only works for plaintext transmission; if the data is encrypted, it has no way in. So, going one step further, what if the channel is encrypted? As far as the author knows at present, the StealthWatch hardware product may be a better choice. It abandons the signature-based mode of operation entirely in favour of a patented flow-based architecture, and according to several evaluation laboratories it can effectively detect various attacks, DoS, worms, viruses and the like, and even encrypted communications. Its price, however, is also far beyond that of an ordinary commercial IDS: a complete set costs 40,000 US dollars! The author currently has no means of testing its detection effectiveness (see References).

Summary

In our test, HTTPTunnel escaped both the firewall's blocking and the intrusion detection system's tracking, which is worth thinking about. We can see that network security relying on only one or a few means is unreliable, especially for applications with high security requirements, and that blind reliance on a security system often creates serious security hazards.

Attachment:

Breaking through the firewall (intrusion diagram)

Please credit the original address when reposting: https://www.9cbs.com/read-82512.html
